Protecting Sensitive Business Data on Smartphones

Attacks on mobile devices are maturing, and in the next few years they'll become the main target of hackers. Yet 34 percent of Americans don't even take basic steps to secure their smartphones, Consumer Reports found in a survey released this May.

Since many companies now allow employees to use personal smartphones for work, the problem of unsecured mobile devices puts sensitive business data at risk. Users and bring-your-own-device (BYOD) administrators alike need to be familiar with and committed to best practices for smartphone security—same as with corporate-supplied phones.

Those best practices are detailed a bit further down in this article. But first, two specific aspects of smartphone security need more elaboration: Jailbreaking and apps.

Jailbreaking

Hackers can do the most significant damage on smartphones altered at an administrative level. "Jailbreaking" (iOS) or "rooting" (Android) is a technique performed deliberately by users to gain access to device resources normally blocked off.

Any BYOD policy worth its salt, therefore, must include a strictly enforced "no jailbreaking or rooting" rule.

Apps

Aside from possible loss or theft, use of unsupported third-party mobile apps (those that may conflict with corporate policies) poses the biggest risk to sensitive business data, Zumerle said.

Gartner predicts that by 2017, 75 percent of mobile security breaches will be the result of app/cloud service misconfiguration. Companies may not even be aware that leaks exist.

There are two aspects to the app issue:

App source - All iOS apps go through a strict vetting process, so iPhone users are safe, but Android apps are available from sources other than the Google Play store. Such unapproved apps should never be installed on a business-use smartphone.

Permissions - Here again, Android users are more at risk. When installing an app, the user (or admin) should carefully check the entire list of permissions for anything suspicious. Avoid giving apps access to contacts, current location, or other personal data unless absolutely necessary. iOS users should check Location Services.

A well-thought-out smartphone use policy is the first, best defense against app-related threats, Zumerle advised. Enterprise mobility management tools translate the mobile policy into technical controls.

What considerations and techniques should be included in a smartphone security policy?

Start with the obvious: any data stored on a smartphone should be backed up to a corporate or secure third-party cloud. (Cloud backup/sync should use data encryption, two-step verification, and password-protected file sharing.) Ideally, this is set up to happen automatically, but if not it should be tied to daily business workflows.

Second, to protect business information, some level of enforced smartphone management is needed, whether the phone is BYOD or corporate-supplied. This is a combination of hardware/software configuration, processes, and training, including:

Keep the smartphone's operating system and apps up-to-date.

Install antivirus/malware software on Android devices.

Set up a virtual private network (VPN) for accessing corporate systems from smartphones.

Establish external malware control on content before it's delivered to mobile devices.

Limiting the use of public Wi-Fi networks, and using tools to reduce the associated risk, is also a best practice worth calling out.

He added that mobile threat defense tools now exist that warn users when they connect to potentially dangerous networks.

Third, IT admins and users should work together to prepare for what to do if a business-use smartphone is lost or stolen. Measures include:

Enable the remote find/lock/wipe feature built into the operating system. If more robust features are needed, install an app.

Configure the screen lock feature to auto-lock after several minutes of inactivity. Ideally, use a passcode longer than four digits. Also, consider setting a "retry" limit on passcode guesses that erases data after too many attempts.

If a business-use smartphone is lost or stolen, the preparation discussed above comes into play. With appropriate tools, business information stored on or accessible with the device can be protected using remote lock and/or data wipe. Also, notify the wireless provider and the police.

Finally, although it's secondary to securing data, a few measures might be called for to protect the phone itself:

Use a wireless proximity alarm system to alert the user if the smartphone goes astray.

Protect the hardware in a waterproof/shock resistant case.

Purchase insurance to cover the cost of replacing the phone.

Summary

A portable, handheld device is highly losable or stealable; business information need not be.

Protecting sensitive business data on smartphones is mostly about information, not hardware. A smartphone is really just an interface for and means of storing business data. Prudent use of cloud services and other tools ensures that nothing important is lost even if the smartphone is.

About the Author

Mae Kowalke is a journalist and communications professional who specializes in covering business technology. She has written extensively about VoIP, CRM, ERP and a range of other technologies, both as a reporter and a blogger.
